ReCAPTCHA library - ignited
#1

[eluser]JayTee[/eluser]
Hello,

I've created a CI implementation of the reCAPTCHA service (http://www.recaptcha.net)

http://codeigniter.com/wiki/ReCAPTCHA/

The most up-to-date version was written for CI 2.0

Technically speaking, this should still work for CI 1.7.X - but you'll need to adjust the controller syntax slightly to match the new CI way of doing things.
#2

[eluser]zauber[/eluser]
Sorry - I really don't mean to put down your hard work - this is not a reflection on your code, just on the use of captchas in general. It should be noted that they've recently been broken. Spammers are relaying captchas to pornsites where visitors are tricked into solving them with the promise of free porn if they do. The solution is then relayed back to the spammer.

So only use captchas if: 1) you are aware that it's only a stumbling block, and don't care because you're monitoring your system anyway - or 2) for a time delay preventing dictionary attacks on logins, etc, PROVIDED you have a really, really good captcha generator, and enforce a strong password complexity policy.

Besides that: good work! I'm new to the community and am happy to see that it's such a vibrant and sharing one. Hope to share some of my own someday soon.
#3

[eluser]JayTee[/eluser]
[quote author="zauber" date="1197954053"]Sorry - I really don't mean to put down your hard work - this is not a reflection on your code, just on the use of captchas in general. It should be noted that they've recently been broken. Spammers are relaying captchas to pornsites where visitors are tricked into solving them with the promise of free porn if they do. The solution is then relayed back to the spammer. [/quote]
No offense taken. I agree that spammers are taking over and rendering a lot of captchas useless. I haven't found this to be the case for recaptcha.

[quote author="zauber"]
So only use captchas if: 1) you are aware that it's only a stumbling block, and don't care because you're monitoring your system anyway - or 2) for a time delay preventing dictionary attacks on logins, etc, PROVIDED you have a really, really good captcha generator, and enforce a strong password complexity policy.[/quote]
This is good advice from a security perspective though I can't say I agree with it 100% ("all generalizations are false", hehe).

I'd recommend taking a look at how recaptcha works - it's actually very good with regards to being more difficult to hack.

[quote author="zauber"]Besides that: good work! I'm new to the community and am happy to see that it's such a vibrant and sharing one. Hope to share some of my own someday soon.[/quote]
Yes, this is a great place for collaboration and sharing. I look forward to your contributions Smile
#4

[eluser]zauber[/eluser]
Yeah, having looked at recaptcha's images briefly, I'd agree with you and say they're pretty tough to beat. Nevertheless they are vulnerable to being solved by real human beings who don't know they're helping spammers. As such I wouldn't trust any captcha for an unmonitored account-creation form or similar.

They DO look good enough for a login form as a brute force protection system (I doubt crackers are getting a lot of speed out of the porn-surfers-solution). But then again, that all depends on how hardcore you want to go on security.

I only even mentioned it because I've recently been charged with hardening security in our applications at work (a field somewhat unfamiliar to me previously), so my head has been full to the brim with security concerns lately Tongue. My eyes just automatically landed on this thread because captchas were in the title, and I had to vent Wink

So sorry again for not staying on the topic of your code Wink I sincerely hope someone with a need and a mind for testing will come along shortly. Good luck
#5

[eluser]Nick Husher[/eluser]
One amusing method of doing Turing tests is to grab a large pool of thumbnail images off of Flickr every month, read their tags, then set up a system wherein the user must select three images that all contain the same subject material. For instance, run a server-side Flickr query for things like 'dry desert scene', 'fruit oranges', 'alcohol spirits', 'cold water', etc. Cache them based off of some random hash unrelated to their subject material. On the frontend, present nine thumbnails of images with the question, "Which three of these images contain or represent dry?" Three of the thumbnails would be pulled from the 'dry desert scene' pool while the rest would be from subjects opposed to that, such as 'cold water.'

It's a good Turing test because computers aren't able to algorithmically determine the answer--without polling large portions of Flickr's many billions of photos, anyway, which they will get shut down by--and you're updating your photo album every 30 days with new imagery, which should discourage human-informed bot spamming.

I've seen this idea used, but I've never seen it done very well.
#6

[eluser]zauber[/eluser]
hehe, yeah - I've seen similar things too, but as you say: never done well. I guess the problem is you have to make the problem hard enough to guess so that there's no point just answering randomly. That would require a large number of images, making the captcha too overbearing on "real" users.
#7

[eluser]kamilko[/eluser]
Sorry for my 0.03 cents, but captchas, whatever they are, simply suck.
I have some problems with my eyes and I know that someday my eyes will be worse than a spammer's captcha recognition engine.

Here is an example of how forms work without captchas: http://15daysofjquery.com/safer-contact-...ptchas/11/
And here is another example of what you could do to fight spammers: http://sblam.com/en.html

Both examples are much better than all the captchas on the web, so please don't promote bad behaviour on the web - captchas make the web much worse trash than it already is.

Thanks
#8

[eluser]JayTee[/eluser]
I'm rather surprised at the negative responses.

My guess is that the reCAPTCHA site isn't clear on how their service is "better" than most other CAPTCHAs out there. Here's my brief synopsis:

1. You need a private and public key. These keys are used to identify you with their servers.
2. If a h4x0r decides to remotely host your form, they would also need to spoof your domain to even get an image to show up.
3. Even if they *do* get an image to show up, the private key is needed to verify that the text (or numbers, for the audio challenge) entered are being checked from the right source.
4. The word challenges are typically in plain English so they are easier for a human to read. This is because we (humans) are able to "fill in the gaps" and figure a word out when some letters are difficult to read.
5. It works even with cookies and JavaScript disabled.
6. It works for visually impaired users (audio challenge option).

My intent was to provide a library in CI to make it easier for people to use the reCAPTCHA service.

I appreciate the feedback on the general use of CAPTCHA technologies. I think that the discussion is derailing the contribution, however, and may be better suited for another part of the CI forums.

Thanks
#9

[eluser]xwero[/eluser]
There is no 100% security, but I think this should be discussed in another topic, because now it seems JayTee did something bad by creating an easy way to use recaptcha.

Looking at the class, I couldn't see a way to change the theme other than in the configuration file. For example, if two pages use the class but have different colour schemes, it would be nice to change the recaptcha theme accordingly.

And I'm wondering why you added the recaptcha URLs to the config file, not in the library constructor. I don't think they are going to change often?

On the wiki, could you document how to challenge recaptcha, and maybe integrate it in the CI error string?

I've checked the recaptcha site and the error messages are only for the case where there is an error using the functionality; there is no error message that states the input is wrong, or am I reading over it? So the error messages are not for public consumption. Maybe you should make a language file to have two error messages: false-input and false-recaptcha. When the latter error is raised the developer can choose to add a log message of some sort.

I'm also wondering why you added the recaptcha_get_signup_url method.

I hope you find some inspiration to develop the library further.
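An added example, not code from JayTee's library, showing the server-side step JayTee describes in #8 (point 3: the private key, never sent to the browser, is what proves the check comes from the right source) together with the two error outcomes xwero asks for in #9 (false-input vs false-recaptcha, with the service failure kept separate so it can be logged). The verify URL and key are assumed to come from the site's own config; the field names and the two-line "true"/"false" reply format are those of the classic reCAPTCHA v1 API.

```php
<?php
// Added example (not the library's own code). Assumptions: $verify_url and
// $private_key are read from the site's config; the form posts the classic v1
// fields recaptcha_challenge_field and recaptcha_response_field.

function recaptcha_verify($verify_url, $private_key, $remote_ip, $challenge, $response)
{
    // Blank answer: xwero's "false-input" case. Rejected locally, nothing is
    // sent to the service, so an empty submission cannot burn a challenge.
    if ($challenge === '' || $response === '') {
        return array('valid' => false, 'error' => 'false-input');
    }

    $post = http_build_query(array(
        'privatekey' => $private_key,   // stays server-side; the public key is the one in the page
        'remoteip'   => $remote_ip,     // binds the answer to the client that saw the challenge
        'challenge'  => $challenge,
        'response'   => $response,
    ));

    $ctx = stream_context_create(array('http' => array(
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $post,
        'timeout' => 5,
    )));
    $body = @file_get_contents($verify_url, false, $ctx);

    // Service unreachable: a distinct outcome, so the developer can log it
    // instead of silently treating an outage like a wrong answer.
    if ($body === false) {
        return array('valid' => false, 'error' => 'service-unreachable');
    }

    // The classic API answers with two lines: "true" or "false", then an error code.
    $lines = explode("\n", trim($body));
    if (isset($lines[0]) && trim($lines[0]) === 'true') {
        return array('valid' => true, 'error' => null);
    }
    $code = isset($lines[1]) ? trim($lines[1]) : 'unknown';
    return array('valid' => false, 'error' => 'false-recaptcha:' . $code);
}

// Usage from a CI controller (config item names are assumed, not the library's):
// $result = recaptcha_verify($this->config->item('recaptcha_verify_url'),
//     $this->config->item('recaptcha_private_key'), $this->input->ip_address(),
//     $this->input->post('recaptcha_challenge_field'),
//     $this->input->post('recaptcha_response_field'));
// if ($result['error'] !== null && $result['error'] !== 'false-input') log_message('error', $result['error']);
```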
#10

[eluser]JayTee[/eluser]
Excellent feedback Smile I'll probably get an update uploaded within the next day or so. This first iteration is really just a mirror copy of the PHP library provided on recaptcha.net. I was in a hurry to get it implemented for a guy, so I didn't do much modification to their code. I'll be doing a larger cleanup effort tonight/tomorrow.
